Re: [dnsext] Possible DNSSECbis clarifications

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nice thought:
Should an SOA record be signed anyway ?
The SOA is only a signaling record, and the result is never going to be
used by any application.
The header (including the ad bit) is also not signed, and the DNSKEY
record does not need to be signed with a ZSK.

On 28-03-11 11:28, Mark Andrews wrote:
> 
> In message <4D9042DA.30002@ogud.com>, Olafur Gudmundsson writes:
>>
>> Dear colleagues,
>>
>> The following is a result of a side conversation on the interpretation
>> of RFC403x with number of DNS colleagues.
>> Any mistakes in the questions are mine.
>>
>> The questions are:
>> 1) What is the valid order of signed RRsets?
>> 2) How many times SHOULD/MUST RRSIG(SOA) appear in an AXFR?
>> 3) What RRSIG(SOA)'s MUST appear on the wire in an IXFR transaction?
>>
>>
>> Q1) A: In RFC403x there is no order requirement on an signed RRset thus 
>> implementations should be ready to handle any combination
>> Following Examples should be treated as the same RRset
>> 	RR1		RR3		RRSIG2
>> 	RR2		RRSIG1		RR2
>> 	RR3		RR1		RR3
>> 	RRSIG1		RR2		RRSIG1
>> 	RRSIG2		RRSIG2		RR1
>>
>>
>> Q2) In AXFR the SOA record is used as a marker record to signal the 
>> beginning of a zone transfer and the end of the zone transfer.
>> The open question is how many times should RRSIG(SOA) appear in the
>> AXFR stream ?
>> 	a) Only once
>> 	b) Both times
>> 	c) Does not matter both are ok.
>>
>> if the answer is a) then the question is when should it appear,
>> 	i) in the beginning after the SOA
>> 	ii) at any time in the AXFR
>> 	iii) just before the final one.
>> 	iv) after the final one.
> 
> All records with the exception of the SOA should appear once but
> multiple should be handled. This is covered in AXFR clarify. The
> record should be between the SOA records.  The SOA records bookend
> the zone transfer.
>  
>> Q3) In IXFR there are multiple SOA records used as maker both on the 
>> overall transaction and on each delta.
>> The questions here are:
>> Which RRSIG(SOA) i.e. for each serial number, are needed ?
>> 	a) All of them once
>> 	b) all of them each time SOA appears
>> 	b) only the final one, all the other ones are immaterial
>> 	  (open question is how often and where)
>> 	c) The first and last one and each only once,
>> 	   the first one is needed to identify what to delete from
>> 	   the zone, the final one is what is going to be in the
>>             zone after the IXFR is applied.
> 
> IXFR contains sets of deltas which consist of the *records* that
> have changed in the zone.  Assuming a properly signed zone you
> will have the final SOA, the starting SOA, RRSIGs of the starting SOA + any
> other changes, the next (possibly final) SOA, the RRSIGs of the SOA
> that apply to that and any other changes,  possibly the next delta,
> .... then the final SOA.
> 
>> Is there need put this information in dnssec-bis (the answer to the AXFR 
>> question may update RFC5936) and in IXFR-bis document ?
> 
> No.
>  
>> 	Olafur
>>
>> _______________________________________________
>> dnsext mailing list
>> dnsext@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsext

- -- 
Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren@sidn.nl  xmpp:antoin@jabber.sidn.nl
http://www.sidn.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNkFY/AAoJEDqHrM883Agn8BoH/0b2dC+h7H6rMJaYqv7NabEv
jC61tUM41XCBN9K71H1ZTT0JUkMGjpLdqbSrqRNoGQSPqRR9ZlUg+pSe44v1t6X4
0ZvyPtXfVA/9AESwmzS+HztOwShsvhYyp2fWvlAkFcnP/8mNHkHCuuzAi8LFubx+
8QdE1bqRSeiByTn4GZ1vaSRTxt2aKcHM5CJ6VrgERTCjt6hEd7xxrIqUqxOiR4+Q
ecRbX5D+i0x3GEal1W4Xgqa5jLwQfaNN1Euog4ftNWBIpFa+e+/pgjXTbDVGz8Zv
1hSzXdyguIAsICu0WKdEd8J11TNj5XYKitO2JXXjUKAQmsFN75s6ETTQIYZv4Ps=
=SEF+
-----END PGP SIGNATURE-----